1 Title of Invention

Communication Security 

2 Claims 

1. A method of distributing through a communications network,
enciphering key data to be used in encrypting and decrypting data at first and
second terminals (2a, 2b) so as to provide secure data transmission between the
terminals through the network, the terminals each storing corresponding first
and second terminal keys (Ka, Kb), the method comprising:

storing the first and second keys (Ka, Kb) remotely of the terminals (2a, 2b);

generating at a location remote from both of the terminals, first and
second separate partial keys (Kpa, Kpb) each as a masked function of a common
number (RAND) and a corresponding one of said stored keys (Ka, Kb);

dispatching the first partial key (Kpa) separately towards the first
terminal (2a); and

separately dispatching the second partial key (Kpb) towards the second
terminal (2b).

2. A method according to claim 1 wherein the enciphering key data is to
be used for encrypting and decrypting data at said first and second terminals
(2a, 2b) and at least one further terminal (2n) so as to provide security for
concurrent data transmissions between all of said terminals (2a, 2b, 2n) through
the network, the method further including:

storing a further key (Kn) remotely of the terminals (2a, 2b)
corresponding to the terminal key of the further terminal (2n);

generating a further partial key (Kpn) as a masked function of the
common number (RAND) and said remotely stored further key (Kn); and

dispatching the further partial key (Kpn) towards the further terminal
(2n).

3. A method according to claim 2 including causing the further terminal
to join in data transmission between the terminals whilst said transmission is
in progress, including transmitting to the further terminal, timing data
concerning the data transmission between the terminals.

4. A method according to any preceding claim including generating said
partial keys with said common number (RAND) only for a predetermined
group (CUG) of said terminals (2) to provide for secure communication
between the terminals of the group.

5. A method of setting up a first terminal (2a) that stores an individual
terminal key (Ka), to encrypt data to be transmitted according to a secure
encryption code (KR) through a communications network to a second terminal
(2b) where the data is to be decrypted, comprising:

receiving at the first terminal a partial key (Kpa) dispatched thereto
through the network from a remote location, the partial key being a masked
function of the individual terminal key (Ka) and a number (RAND) for
determining the encryption code; and

comparing at the terminal (2a) the received partial key (Kpa) and the
stored key (Ka) so as to provide the encryption code (KR).

6. A method according to claim 5 including encrypting data at the first
terminal (2a) according to the encryption code (KR), and transmitting the
encrypted data towards the second terminal through the network.

7. A method of setting up a second terminal that stores an individual
terminal key (Kb), to decrypt data transmitted thereto according to a secure
encryption code through a communications network from a first terminal
where the data is encrypted, comprising:

receiving at the second terminal a partial key (Kpb) dispatched thereto
through the network from a remote location, the partial key being a masked
function of the individual terminal key (Kb) and a number (RAND) for
determining the code; and

comparing at the terminal the received partial key (Kpb) and the stored
key (Kb) so as to provide data (KR) for decrypting data transmitted from the
first terminal and encrypted according to the encryption code (KR).

8. A method according to claim 7 including decrypting data at the second
terminal, transmitted thereto from the first terminal and encrypted according
to the encryption code (KR).

9. A method according to any preceding claim wherein the or each said
partial key (Kpa, Kpb, Kpn) is transmitted to the terminals (2a, 2b, 2n) over the
air interface of a mobile communications system.

10. A method according to claim 9 including additionally encrypting data
transmitted over the air interface.

11. A method according to claim 10 including performing the additional
encryption at each said terminal with the terminal key of the respective
terminal and a predetermined algorithm.

12. Apparatus (15) for distributing through a communications network,
enciphering key data to be used in encrypting and decrypting data at first and
second terminals (2a, 2b) so as to provide secure data transmission between the
terminals through the network, the terminals each storing corresponding first
and second terminal keys (Ka, Kb), comprising:

a data store disposed remotely of the terminals (2a, 2b), storing first and
second terminal keys (Ka, Kb) corresponding to the terminal keys stored by
the terminals respectively;

means for generating a number (RAND);

means for generating first and second separate partial keys (Kpa, Kpb)
each as a masked function of the number (RAND) and a corresponding one of
said keys (Ka, Kb) held in the store; and

dispatching means operative to dispatch the first partial key (Kpa)
towards the first terminal (2a) and the second partial key (Kpb) separately
towards the second terminal (2b).

13. A terminal (2a, 2b, 2n) for communicating through a communication
network with at least one further terminal, comprising

means to receive a store (SIM) that stores an individual terminal key
(Ka);

a key generator (35a) to receive from the network a partial key (Kpa)
comprising a masked function of the individual terminal key (Ka) and number
(RAND) transmitted in common to said at least one further terminal, and
operative to compare the individual key stored in the store (SIM) with said
partial key so as to produce an encryption code (KR) as a function of said
number (RAND); and

enciphering means (37) operative to encipher data transmitted through
the network in accordance with the encryption code (KR).

14. A terminal according to claim 13 including user operable means (38)
for selectively initiating operation of the enciphering means.

15. A terminal according to claim 13 or 14 operative to transmit and
receive data in different channels through the network, wherein the
enciphering means (37) is operative to encipher data transmitted through the
network in accordance with a first said encryption code (KR), and including
deciphering means (37) operative to decipher data received through the
network in accordance with a second, different said encryption code (KR).
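
The distribution and recovery steps of claims 1, 2, 5 and 7, as an added example that is not part of the patent text. It assumes the "masked function" is a bitwise XOR of 128-bit values; the class and function names are hypothetical.

```python
import secrets

KEY_BYTES = 16  # assumption for this example: 128-bit terminal keys and RAND


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """Bitwise XOR of two equal-length byte strings (the assumed mask)."""
    if len(a) != len(b):
        raise ValueError("operands must have the same length")
    return bytes(x ^ y for x, y in zip(a, b))


class KeyCentre:
    """Remote data store of claim 12: holds a copy of every terminal key."""

    def __init__(self, terminal_keys):
        self._keys = dict(terminal_keys)

    def partial_keys(self, group):
        """Pick one common RAND and mask it separately for each terminal.

        Returns (RAND, {terminal_id: partial key}). Only the partial keys
        are dispatched; RAND itself never leaves the centre unmasked.
        """
        rand = secrets.token_bytes(KEY_BYTES)
        return rand, {tid: xor_bytes(self._keys[tid], rand) for tid in group}


class Terminal:
    """Terminal whose store (the SIM in claim 13) holds its own key."""

    def __init__(self, terminal_id, key):
        self.terminal_id = terminal_id
        self._key = key

    def encryption_code(self, partial_key):
        """'Compare' the received partial key with the stored key.

        With an XOR mask: KR = Kp XOR K = (K XOR RAND) XOR K = RAND.
        """
        return xor_bytes(partial_key, self._key)


def run_demo():
    """Three-terminal group (2a, 2b, 2n) with constructed random keys."""
    keys = {tid: secrets.token_bytes(KEY_BYTES) for tid in ("2a", "2b", "2n")}
    centre = KeyCentre(keys)
    terminals = {tid: Terminal(tid, key) for tid, key in keys.items()}

    rand, partials = centre.partial_keys(["2a", "2b", "2n"])
    codes = {tid: terminals[tid].encryption_code(partials[tid])
             for tid in partials}

    # A terminal holding a different key gets an unrelated value from Kpa.
    outsider = Terminal("2x", secrets.token_bytes(KEY_BYTES))
    outsider_code = outsider.encryption_code(partials["2a"])

    # Design check for the assumed XOR mask: the XOR of two dispatched
    # partial keys does not depend on RAND at all. It equals Ka XOR Kb,
    # so the secrecy of KR rests entirely on the terminal keys.
    wire_relation = xor_bytes(partials["2a"], partials["2b"])

    return {
        "rand": rand,
        "keys": keys,
        "partials": partials,
        "codes": codes,
        "outsider_code": outsider_code,
        "wire_relation": wire_relation,
    }


if __name__ == "__main__":
    result = run_demo()
    for tid, code in result["codes"].items():
        print(tid, "recovered KR:", code.hex())
    print("all equal to RAND:",
          all(c == result["rand"] for c in result["codes"].values()))
```
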
3 Detailed Description of Invention
Field of the invention

This invention relates to a method and apparatus for providing secure 
communication through a communications network. 

Background 

Digital mobile voice communications systems are well known and one
example is the GSM terrestrial cellular system. Others are the Inmarsat-M
satellite telephone system, the IRIDIUM™ satellite cellular system described
in, for example, EP-A-0365885, the ICO™ satellite cellular system described
in, for example, GB-A-2295296 or the ODYSSEY™ satellite cellular system
described in, for example EP-A-0510789. Since such systems operate over a
wireless link, there is a risk of interception of calls by unauthorised persons.

The GSM system includes an optional encryption scheme described in, for
example, "Security aspects and the implementation in the GSM-system"; Peter
C.J. van der Arend, paper 4a, Conference Proceedings of the Digital Cellular
Radio Conference (DCRC), October 12th-14th published by Deutsche
Bundespost, France Telecom and Fernuniversitate. Greater detail is given in
the following GSM recommendations: GSM 02.09 "Security Aspects";
GSM 03.20 "Security Related Algorithms". In this scheme, a database known as
the Authentication Centre (AuC) holds an individual encryption key number
(Ki) for each subscriber to the authentication service, which is also stored on a
chip known as the Subscriber Information Module (SIM) held in the
subscriber's mobile terminal. The subscriber has no access to the data stored
in the SIM and cannot read the key.

Where a secure session is requested, a random number (RAND) is generated
by the AuC and used, together with the customer's key (Ki), to calculate a
ciphering key (Kc) used during the session for ciphering and deciphering
messages to/from the subscriber. The random number is sent from the AuC
to the subscriber's mobile terminal via the Base Transceiver Station (BTS).
The mobile terminal passes the random number to the SIM, which calculates
the ciphering key Kc using an algorithm termed A5, from the received
random number and the stored key Ki. Thus, the random number is sent
over the air, but not the customer's key Ki or the ciphering key Kc.

The random number and the ciphering key are fed to the Home Location
Register (HLR) database of the GSM network, which stores details for the
subscriber concerned, and are also sent to the Visiting Location Register
(VLR) for the area where the user terminal is currently located, and are
supplied to the BTS via which the mobile is communicating to the network.

The ciphering key Kc is used, together with the current TDMA frame
number, to implement the A5 ciphering algorithm in both the mobile terminal
and the BTS so that data transmitted over the air interface between the mobile
terminal and the BTS is encrypted. Thus, the individual user key Ki is stored
only at the authentication centre and the SIM, where the ciphering key is
calculated and forwarded to the BTS and the mobile terminal.

Whilst this scheme is adequate in many respects, it fails to provide complete
security since it offers protection only over the air transmission path. Thus, it
is possible for illicit access to be obtained by tampering with the fixed part of
the network.

Accordingly, end-to-end encryption schemes have been proposed. Because the
encryption runs from one user terminal to the other, across the whole
communications path and not just the air path, improved privacy is obtained.

The basic problem in offering end-to-end encipherment of communications
over a network is in providing each of the two users with the same, or each
other's, secret key. In some applications, a group of terminals (for example all
owned by a single body) may all have access to the same key. Whilst this
provides privacy against personnel from outside the group, it is an incomplete
solution since it does not provide privacy for communication between two
terminals within the group and a third within the group.

It is possible to employ public key encryption systems, in which each
terminal has a secret decryption key and a non-secret encryption key, so that
any other party can use the encryption key to encrypt data but only the
recipient can decrypt data which has been encrypted using the public
encryption key.

A communication system could be envisaged in which every user is provided
with such a pair of keys, and in setting up a communication between a pair of
users each sends the other its encryption key whilst keeping its decryption
key secret. However, there is widespread public concern that the use of such
techniques on a telecommunications network would allow criminals or
terrorists to communicate using completely secure communications, free from
any possibility of supervision.

It has been proposed to hold the keys in a remote "trusted third party"
database. An example of such an arrangement is described in "Security
measures in communication networks", K. Presttun, Electrical
Communication, 1986, Vol 60, No. 1 pp 63-70. The keys for two users (user
A and user B) are distributed from a remote key distribution centre as a
common, masked message, which is firstly sent to user A, where the key for
user A is stripped out, and then from user A to user B, to provide the key to
user B.

In our GB 96 11411.1 (and corresponding USSN 08/866 912) there is
described an end-to-end encryption and decryption scheme in which the
terminal keys that are stored in the terminals, are held additionally in a
remote "trusted third party" database. In order to set up an encrypted
transmission between a first and a second terminal, each of them is provided
from the remote location with a partial key which contains masked data
concerning the key of the other terminal, derived from the stored data in the
database. As a result, both terminals can be provided with data that in
combination with their own key stored at the terminal, enables them each to
set up a common secret code which can be used for end to end encryption
and decryption through the network.

A difficulty with the prior referenced "trusted third party" databases arises when
it is desired to set up secure conference calls between three or more terminals.
Each terminal needs to be provided with masked data concerning all the keys
of the other terminals participating in the conference call so that they can
each establish a common code, with the result that the partial keys and the
final encryption code become long and cumbersome in dependence upon the
number of participants. Also the risk of the code being ascertained by
eavesdropping, from the long partial keys, is increased.

Summary of the invention 

The present invention provides a solution to these problems. The invention
provides a method of distributing through a communications network,
enciphering key data to be used in encrypting and decrypting data at first and
second terminals so as to provide secure data transmission between the
terminals through the network, the terminals each storing corresponding first
and second terminal keys, the method comprising: storing the first and second
keys remotely of the terminals; generating at a location remote from both of
the terminals, first and second separate partial keys each as a masked function
of a common number and a corresponding one of said separately stored keys;
dispatching the first partial key separately towards the first terminal; and
separately dispatching the second partial key separately towards the second
terminal.

The invention also provides a method of setting up a first terminal that stores
an individual terminal key, to encrypt data to be transmitted according to a
secure encryption code through a communications network to second terminal
where the data is to be decrypted, comprising receiving at the first terminal a
partial key dispatched thereto through the network from a remote location,
the partial key being a masked function of the individual terminal key and a
number for determining the encryption code, and comparing at the terminal
the received partial key and the stored key so as to provide the encryption
code.

The invention also extends to a method of setting up a second terminal that
stores an individual terminal key, to decrypt data transmitted thereto
according to a secure encryption code through a communications network
from a first terminal where the data is encrypted, comprising receiving at the
second terminal a partial key dispatched thereto through the network from a
remote location, the partial key being a masked function of the individual
terminal key and a number for determining the code, and comparing at the
second terminal the received partial key and the stored key so as to provide
data for decrypting the code.

Thus in accordance with the invention, each terminal is provided with a
partial key from the remote location that includes masked data concerning the
terminal key of the terminal itself, without the need for the key of the other
terminal, so that the protocol can readily be expanded from communications
between two terminals, to large numbers of terminals in conference calls
without lengthening the partial keys.

One or more additional terminals may join in a call whilst it is in progress,
either to expand a normal two party call into a three party conference call or
to increase the number of parties in a conference call. To this end, the joining
party is sent a masked version of its key so that it can determine the code,
together with the frame number for the data transmission that is going on
between the parties, so that the joining party can join in the transmitted data
flow.

The invention is envisaged for use in satellite mobile digital communications
systems, and is also useful in corresponding terrestrial digital mobile
communication systems (e.g. in cellular systems such as the GSM system), or
in fixed link communication systems. The invention may also be practised in
store-and-forward communication systems such as e-mail or the Internet.

Brief description of the drawings 

Embodiments of the invention will now be described, by way of example
only, with reference to the accompanying drawings, in which:

Figure 1 is a block diagram showing schematically the elements of a
communication system embodying the present invention;
Figure 2 is a block diagram showing schematically the elements of mobile
terminal equipment suitable for use with the present invention;
Figure 3 is a block diagram showing schematically the elements of an Earth
station node forming part of the embodiment of Figure 1;
Figure 4 is a block diagram showing schematically the elements of a gateway
station forming part of the embodiment of Figure 1;
Figure 5 is a block diagram showing schematically the elements of a database
station forming part of the embodiment of Figure 1;
Figure 6 illustrates the contents of a store forming part of the database station
of Figure 5;
Figure 7a illustrates schematically the beams produced by a satellite in the
embodiment of Figure 1;
Figure 7b illustrates schematically the disposition of satellites forming part of
Figure 1 in orbits around the earth;
Figure 8 is a block diagram showing the signal flow between components of
the handset of Figure 2 in a first embodiment of the invention;
Figure 9 is a schematic block diagram showing the flow of encryption data
and signals between the components of Figure 1 in the first embodiment;
Figure 10 is a flow diagram showing schematically the process performed by
the control and enciphering components of the handset of Figure 8 in the first
embodiment;
Figure 11 is a flow diagram showing schematically the process of operation of
the earth station of Figure 3 in the first embodiment;
Figure 12 is a flow diagram showing schematically the process of operation of
the central database station of Figure 4 in the first embodiment;
Figure 13 is a flow diagram showing schematically the process of operation of
a subscriber information module (SIM) held within the handset of Figure 8 in
the first embodiment;
Figure 14 is a flow diagram illustrating schematically the stages of security
provided in a fourth embodiment of the invention;
Figure 15 is an illustrative diagram showing the stages of formation of the
enciphering key by a first handset terminal of Figure 8; and
Figure 16 is a corresponding illustrative diagram showing the process of
formation of the enciphering key at a second such handset;
Figures 17a and b is a flow diagram modifying the operation of that of Figures
12 and 13 in the third embodiment of the invention;
Figure 19a is a block diagram showing schematically some of the functional
elements present in the handset of Figure 8 according to the fourth
embodiment of the invention;
Figure 19b is a block diagram showing schematically some of the functional
elements present in the database station of the fourth embodiment;
Figure 19c is a block diagram showing schematically some of the functional
elements present in the earth station of the fourth embodiment;
Figure 20 (incorporating parts of Figure 10) is a flow diagram showing
schematically the operation of a handset according to the fourth embodiment;
Figure 21 (incorporating parts of Figure 11) is a flow diagram showing
schematically the process of operation of an earth station according to the
fourth embodiment;
Figure 22 (incorporating parts of Figure 12) is a flow diagram showing
schematically the operation of a database station according to the fourth
embodiment;
Figure 23 (incorporating parts of Figure 13) is a flow diagram showing
schematically the operation of a subscriber information module according to
the fourth embodiment; and
Figure 24 illustrates how embodiments of the invention can be used for
conference calls with more than two user terminals.

Detailed description

Referring to Figure 1, a satellite communications network according to this
embodiment comprises mobile user terminal equipment 2a, 2b; orbiting relay
satellites 4a, 4b, 4c; satellite earth station nodes 6a, 6b, 6c; satellite system
gateway stations 8a, 8b; public switched telecommunications networks
10a, 10b; and fixed telecommunications terminal equipment 12a, 12b.

Interconnecting the satellite system gateways 8a, 8b, 8c with the earth station
nodes 6a, 6b, 6c and interconnecting the nodes 6a, 6b, 6c with each other, is a
dedicated ground-based network comprising channels 14a, 14b, 14c. The
satellites 4, earth station nodes 6 and lines 14 make up the infrastructure of
the satellite communications network, for communication with the mobile
terminals 2, and accessible through the gateway stations 8.

A terminal location database station 15 is connected, via a signalling link 60
(e.g. within the channels 14 of the dedicated network) to the gateway station
and earth stations 6.

The PSTNs 10a, 10b comprise, typically, local exchanges 16a, 16b to which
the fixed terminal equipment 12a, 12b is connected via local loops 18a, 18b;
and international switching centres 20a, 20b connectable one to another via
transnational links 21 (for example, satellite links or subsea optical fibre cable
links). The PSTNs 10a, 10b and fixed terminal equipment 12a, 12b (e.g.
telephone instruments) are well known and almost universally available today.

Each mobile terminal apparatus is in communication with a satellite 4 via a
full duplex channel (in this embodiment) comprising a down link channel and
an up link channel, for example (in each case) a TDMA time slot on a
particular frequency allocated on initiation of a call, as disclosed in patent
applications GB 2288913 and GB 2293725. The satellites 4 in this embodiment
are non geostationary and thus, periodically, there is hand over from one
satellite 4 to another.

Mobile terminal 2

Referring to Figure 2, the mobile terminal equipment of Figure 1 is shown.

One suitable form is a handset, as shown. Details of the handsets 2a, 2b etc
will not be described and are similar to those presently available for use with
the GSM system, comprising a digital coder/decoder 30, together with
conventional microphone 36, loudspeaker 34, battery 40, keypad components
38, a radio frequency (RF) interface 32 and antenna 31 suitable for satellite
communications. Preferably a display 39, for example a liquid crystal display,
is also provided. A 'smart card' reader 33 receiving a smart card (SIM) 35
storing user information is also provided.

The coder/decoder (codec) 30 comprises a low bit rate coder, generating a
speech bit stream at around 5.6 kilobits per second, together with a channel
coder applying error correcting encoding, to generate an encoded bit stream at
a rate of 4.8 kilobits per second. The low bit rate coder may, for example, be
a linear predictive coder such as a multiple pulse predictive coder (MPLPC), a
code book excited linear predictive coder (CELP), or a residual excited linear
predictive coder (RELP). Alternatively, it may employ some form of
waveform coding such as subband coding.

The error protection encoding applied may employ block codes, BCH codes,
Reed-Solomon codes, turbo codes or convolutional codes. The codec 30
likewise comprises a corresponding channel decoder (e.g. using Viterbi or soft
decision coding) and speech decoder.
Also provided is a control circuit 37 which may in practice be integrated
with the coder 30, consisting of a suitably programmed microprocessor,
microcontroller or digital signal processor (DSP) chip.

The SIM 35 preferably complies with GSM Recommendations 02.17
"Subscriber Identity Modules", and is preferably implemented as an
industry standard "Smart Card". The SIM 35 and reader 33 are therefore
preferably as described in International Standards ISO 7810, 7811 and 7816;
these and GSM 02.17 and 11.11 are all incorporated herein by reference.

Specifically, the SIM 35 includes a processor 35a and permanent memory 35b.
The processor 35a is arranged to perform some encryption functions as
described in greater detail below.

Earth Station Node 6 

The earth station nodes 6 are arranged for communication with the satellites.

Each earth station node 6 comprises, as shown in Figure 3, a conventional
satellite earth station 22 consisting of at least one satellite tracking antenna 24
arranged to track at least one moving satellite 4; RF power amplifiers 26a for
supplying a signal to the antenna 24, and 26b for receiving a signal from the
antenna 24; and a control unit 28 for storing the satellite ephemeris data,
controlling the steering of the antenna 24, and effecting any control of the
satellite 4 that may be required (by signalling via the antenna 24 to the
satellite 4).

The earth station node 6 further comprises a mobile satellite switching centre
42 comprising a network switch 44 connected to the trunk links 14 forming
part of the dedicated network. A multiplexer 46 is arranged to receive
switched calls from the switch 44 and multiplex them into a composite signal
for supply to the amplifier 26 via a low bit-rate voice codec 50. The earth
station node 6 also includes a local store 48 storing details of each mobile
terminal equipment 2a within the area served by the satellite 4 with which the
node 6 is in communication.

Gateway 8 

Referring to Figure 4, the gateway stations 8a, 8b comprise, in this
embodiment, commercially available mobile switching centres (MSCs) of the
type used in digital mobile cellular radio systems such as GSM systems. They
could alternatively comprise a part of an international or other exchange
forming one of the PSTNs 10a, 10b operating under software control to
interconnect the networks 10 with the satellite system trunk lines 14.

The gateway stations 8 comprise a switch 70 arranged to interconnect
incoming PSTN lines from the PSTN 10 with dedicated service lines 14
connected to one or more Earth station nodes 6, under control of a control
unit 72. The control unit 72 is capable of communicating with the data
channel 60 connected to the database station 15 via a signalling unit 74, and is
arranged to generate data messages in some suitable format (e.g. as packets or
ATM cells).

Also provided in the gateway stations 8 is a store 76 storing billing, service
and other information relating to those mobile terminals 2 for which the
gateway station 8 is the home gateway station. Data is written to the store 76
by the control unit 72 after being received via the signalling unit 74 or switch
70, from the PSTN 10 or the Earth station nodes 6 making up the satellite
network. This store acts in the manner of a visitor location register (VLR) of
a terrestrial GSM network, and a commercially available VLR may therefore
be used as the store 76.

The satellite system trunk lines 14 comprise, in this embodiment, high quality
leased lines meeting acceptable minimum criteria for signal degradation and
delay. In this embodiment, all the lines 14 comprise terrestrial links. The
trunk lines 14 are preferably dedicated lines, so that the lines 14 form a
separate set of physical channels to the networks 10. However, the use of
virtual circuits through the networks 10 is not excluded.

Database Station 15

Referring to Figure 5, the database station 15 comprises a digital data store 54,
a signalling circuit 56, a processor 58 interconnected with the signalling circuit
56 and the store 54, and a signalling link 60 interconnecting the database
station 15 with the gateway stations 8 and Earth stations 6 making up the
satellite system network, for signalling or data message communications.

The store 54 contains, for every subscriber terminal apparatus 2, a record
showing the identity, e.g. the International Mobile Subscriber Identity or
IMSI; the current status of the terminal 2 (whether it is "local" or "global" as
will be disclosed in greater detail below); the geographical position of the
mobile terminal 2 (either in coordinate geometry, or as code identifying an
area within which it lies); the "home" gateway station 8 with which the
apparatus is registered (to enable billing and other data to be collected at a
single point) and the currently active Earth station node 6 with which the
apparatus 2 is in communication via the satellite 4. The contents of the store
are indicated in Figure 6.

Further, in this embodiment the store contains for each user a unique and
individual enciphering key Ki, to be used as described below.

The signalling unit 56 and processor 58 are arranged to receive interrogating
data messages via the signalling circuit 60 which may be a packet switched
connection, from gateways 8 or nodes 6, comprising data identifying one of
the mobile terminals 2, for example, the telephone number of the equipment
2, and the processor 58 is arranged to search the store 54 for the status and
active earth station node 6 of the terminal 2, and to transmit these in a reply
message via the data line 60.

Thus, in this embodiment the database station 15 acts to fulfil the functions
both of a home location register (HLR) of a GSM system, and of an
authentication centre (AuC) of a GSM system, and may be based on
commercially available GSM products.

Satellites 4 

The satellites 4a, 4b comprise generally conventional communications
satellites, such as the known Hughes HS 601 model, and may include features
as disclosed in GB 2288913. Each satellite 4 is arranged to generate an array
of beams covering a footprint beneath the satellite, each beam including a
number of different frequency channels and time slots, as described in GB
2293725 and illustrated in Figure 7a.

The satellites 4 are arranged in a constellation in sufficient numbers and
suitable orbits to cover a substantial area of the globe, preferably to give full,
continuous global coverage. For example 10 or more satellites may be
provided in two mutually orthogonal intermediate circular orbits at an
altitude of, for example, 10,500 kilometres as shown in Figure 7b. However,
larger numbers of lower satellites may be used, as disclosed in EP
0365885, or other publications relating to the Iridium system, for example.

Registration and Location

In one embodiment, a customer mobile terminal apparatus 2 may be registered
with one of two distinct statuses; "local" in which the mobile terminal
apparatus is permitted only to communicate through one local area, or part of
the satellite system network, and "global", which entitles the apparatus to
communicate through any part of the satellite system network.

The status of each apparatus 2, i.e. "local" or "global", is stored in the record
held for the apparatus 2 concerned in the store 54 of the database station 15,
as shown in Figure 6.
The mobile terminal apparatus 2 performs an automatic registration process,
of the kind well known in the art of cellular terrestrial communications, on
each occasion when the terminal 2 is utilised for an outgoing call; and/or
when the apparatus 2 is switched on; and/or periodically whilst the apparatus
2 is switched on. As is conventional, the registration process takes the form
of the broadcasting of a signal identifying the mobile terminal 2 (e.g. by
transmitting its telephone number on a common hailing or signalling
frequency).

The transmitted signal is picked up by one or more of the satellites 4. Under
normal circumstances, the signal is picked up by multiple satellites 4, and the
received signal strength and/or time of arrival are transmitted, together with
the identity of the mobile apparatus 2 and the identity of the satellite 4
receiving the signal, to the database station 15 via the earth station node or
nodes 6 with which the satellites 4 are in communication, and the signalling
line 60.

The processor 58 of the database station 15 then calculates, e.g. on the basis
of the differential arrival times, the terrestrial position of the mobile terminal
apparatus 2, which is stored in the database 54. Also stored is the identity of
the earth station node 6 most suitable for communicating with the mobile
terminal apparatus 2 (the "active" station). This is typically found by the
processor 58 comparing the stored position of the terminal 2 with the
predetermined stored positions of each of the earth station nodes 6 and
selecting the nearest. However, account may also or instead be taken of the
strength of the signals received via the satellites 4, or of other factors such as
network congestion, which may result, in borderline cases, in the choice of a
node earth station which is not geographically closest to the mobile terminal
equipment 2. The identity of the allocated active earth station node 6 is then
likewise stored in the store 54 in the record for that terminal apparatus.

Call Set Up and Routing

The processes of routing calls to and from mobile terminal apparatus 2 are
described fully in GB-A-2295296 and PCT/GB95/01087, both of which are
hereby incorporated fully by reference. Briefly, for a local user outside its
area, a call placed to the user or from the user is referred to the database
station which determines that the user is outside of its area and thereafter does
not process the call.

For a local user which is inside its area, in the preferred embodiment
described in the above referenced British and International application, calls to
or from the mobile user and a conventional terrestrial user connected to one
of the PSTNs are set up over the satellite link, via the active earth station 6,
the ground network, and the international public switch telephone network
(PSTN) from the nearest gateway 8 to the terrestrial user.

For global users, calls are routed via the satellite and the active earth station,
then via the ground network to the gateway station 8 nearest to the terrestrial
user.

The dial numbers allocated to mobile users may have "International" prefixes
followed by a code corresponding to the satellite service network.
Alternatively, they could have a national prefix followed by a regional code
assigned to the satellite service.

Calls between one mobile user and another are carried out by directing the
signal via a first satellite link down to the active earth station node of the first
mobile user, via the ground network to the active earth station node of the
second mobile user (which may be, but is not necessarily, the same as that of
the first) and then via a second satellite link (which may, but does not need to,
be via the same satellite) to the second mobile user.

First Embodiment

Figure 8 shows in greater detail the signal flow through the elements of the
mobile terminal of Figure 2. Signals received from the aerial 31 are RF
demodulated by RF modem 32 and supplied to the processor circuit 37 which
is arranged, when in enciphering mode, to decipher the received data using,
for example, the A5 algorithm in accordance with a deciphering key supplied
from the SIM 35. The deciphering key is referred to as KR.

The deciphered bit stream is then passed to a channel codec 30b which
performs error correcting decoding and the error corrected speech signal is
supplied to low bit rate codec 30a which includes a digital to analog
converter, the analog output of which is supplied to loudspeaker 34.

Speech from the microphone 36 is supplied to the low bit rate codec 30a
which includes an analog to digital converter, and the resulting low bit rate
speech signal is encoded by the channel codec 30b to include error protection.
The error protected bit stream is then encrypted, when in enciphering mode,
by the control circuit 37 and the encrypted bit stream is supplied to the RF
modem 32 for transmission from the aerial 31.

Referring to Figures 9, 10 and 11, the process of setting up the enciphered
mode of communication will now be described in greater detail.

During a communication session between two user terminals 2a, 2b, a user of
one or both terminals elects to continue the conversation in encrypted form.
Accordingly, referring to Figure 10, in step 1002 the invoking party enters a
sequence of key strokes from the keyboard 38, or operates on a special key,
which is recognised by the processor 37 as an instruction to invoke security,
and accordingly the processor 37 transmits, in step 1002, a signal to invoke
enciphering on an inband or associated control channel.

Referring to Figure 11, at the earth station 6, in step 1102 the privacy request
signal is received and in step 1104 the signal is sent to the central database
station 15 together with the identity codes indicating the identities of the
terminals 2a and 2b, and to the second user terminal 2b.

At the second user terminal 2b, receipt of the privacy signal occurs in step
1002 of Figure 10.

Referring to Figure 12, at the central database station the privacy signal is
received in step 1202.

In step 1204, the controller 58 of the database station 15 accesses the memory
54 and reads out the individual enciphering key Ka stored for the first mobile
terminal 2a, and the key stored for the second mobile terminal 2b.

In step 1206, the controller 58 generates a pseudo random number (RAND).

In this embodiment, the keys Ka and Kb are each 128 bit binary numbers and
the random number RAND is another 128 bit binary number.

In step 1208, the controller 58 calculates first and second partial keys Kpa, Kpb.

The calculation of the first partial key is illustrated in Figure 13; this
calculation comprises generating a 128 bit number each bit of which comprises
the exclusive OR function of the bits in corresponding positions of the second
terminal key and the random number RAND. Thus, the second partial
key is given as follows:

Kpa = Ka + RAND
(where + indicates a binary addition operation).

The second partial key Kpb is calculated in exactly the same way, by
performing a bit-wise exclusive-OR operation between the first terminal key
Kb and the random number RAND, as shown in Figure 15.

In step 1210 of Figure 12, the central database station 15 transmits the first
partial key (Kpa) to the first terminal 2a and the second partial key (Kpb) to
the first terminal 2b, via the signalling network 60, and the respective earth
stations 6b and 6a and satellites 4b and 4a.

At this stage, each individual terminal key has been "scrambled" by the binary
addition operation with the random number RAND. An unauthorised
eavesdropper who monitors one of the partial keys cannot learn the terminal
key from it because there are two unknowns; the random number RAND and
the terminal key. Even an unauthorised eavesdropper who monitors both
partial keys cannot derive either the random number or one of the terminal
keys, because he has only two data from which to derive three unknowns; the
best that can be derived is the difference between the two terminal keys,
which is of no value.

Referring now to Figure 11, in step 1106 each earth station receives the partial
key and forwards it to the mobile terminal in step 1108.

Referring to Figure 10, in step 1004, each of the mobile terminals (2a, 2b)
receives a corresponding partial key (Kpa, Kpb). In step 1006, the partial key is
transmitted via the card reader 33 to the SIM 35.

Referring to Figure 13, in step 1302, the SIM receives the partial key and in
step 1304 the SIM reads the terminal key from within the memory 35b. In
step 1306, the SIM processor 35a recovers the binary number RAND by
comparing the stored terminal key with the partial key Kpa, to generate a
new 128 bit binary number. The comparing step is carried out by exclusive-
ORing Kpa and Ka. Thus, the SIM processor computes a code KR, where

    KR = Ka + (RAND) - Ka
       = (RAND)

In step 1308, the SIM 35 supplies KR = (RAND) via the card reader device 33 to
the terminal processor 37. The code KR is used as an enciphering key for data
to be transmitted.

Likewise, at the second terminal 2b, the value of KR = (RAND) is computed
by subtracting the stored value Kb in the SIM of the terminal from the second
partial key Kpb:

    KR = Kb + (RAND) - Kb
       = (RAND)

Thus, each terminal 2a, 2b, calculates the same enciphering key KR =
(RAND).

Referring back to Figure 10, in step 1008, the terminal processor 37 receives
the encryption key KR and in step 1010 the terminal processor 37 switches to
encryption mode. Thereafter, at step 1012, the processor 37 functions to
encrypt the bit stream from the codec 30 prior to RF modulation and
transmission, and to decrypt the corresponding bit stream from the RF
modem 32 prior to supply thereof to the codec 30 using the key KR.

The encryption algorithm may be any suitable algorithm and may be openly
known, since the encryption key itself is secret. The encryption algorithm
is conveniently the A5 encryption algorithm used in GSM handsets and
described in the above referenced GSM Recommendations.

Thus, to recap, as shown in Figure 9, in this embodiment each terminal 2 has
an associated unique terminal key which is stored in the SIM 35 held within
the terminal and in the central database station 15. The enciphering key KR
used is a function of the random number (RAND) generated in the remote
database station 15 which distributes it to 2a, 2b in a masked form, in the
partial keys Kpa, Kpb.

Transmitting the terminal keys in masked form prevents an eavesdropper
from gaining access to either terminal key. By changing the masking on each
session operation, namely by generating a continually changing sequence of
pseudo-random numbers (RAND), an eavesdropper cannot learn the masking
function over time.

Nor is it possible for either terminal or SIM to work out the other's terminal
key, since this is masked even from the terminals themselves.

Second Embodiment 

In a second embodiment, security is further improved by reducing the
opportunities for unauthorised tampering at the central database station. The
second embodiment works substantially as the first except that, as shown in
Figure 14, instead of steps 1204 to 1210 of Figure 12 being performed, steps
1404 to 1420 are performed.

Accordingly, after step 1202, the processor 58 first accesses the first terminal
key Ka in step 1404, then calculates the random number in step 1406 (as
described in relation to step 1206), then calculates the first partial key Kpa in
step 1408 (as described in relation to step 1208), and then sends the first partial
key in step 1410 (as described in relation to step 1210).

After these operations, any locally stored copies of Ka and Kpa are erased.
Then, in step 1414, the processor 58 accesses the second terminal key Kb,
calculates the second partial key (step 1416), sends the second partial key
(step 1418), and erases the second partial key and second terminal key (step
1420).

Thus, in this embodiment, access to the two partial keys and terminal keys is
separated in time, reducing the possibilities for eavesdropping or fraudulent
use of the database station 15.

It will be apparent that access to the two partial keys and/or terminal keys
could be separated in other ways; for example, by sending the two terminal
keys to physically separate devices and then sending the random number to
each of the devices for combination there with the terminal keys.

Rather than sending the same random number to two different devices, for
additional security, two identical, lock-step, random number generators may be
provided at two different locations, to which the two terminal keys are sent.
Thus, access to the two terminal keys and/or partial keys may be separated
physically as well as, or instead of, in time.

Third Embodiment 

In this embodiment, security is further increased by enciphering each of the
partial keys Kpa, Kpb for transmission. Although it would be possible to use a
common cipher, this would be undesirable since eavesdroppers with access to
the common cipher (e.g. other authorised users of the privacy service) might
be able to decipher the cipher.

Equally, it is preferred not to use an air interface cipher of the type known
in the GSM system because this would be open to interception in the fixed
part of the network.

Accordingly, in this embodiment, the SIM 35 stores a decryption algorithm
(which may conveniently be the A5 algorithm used in GSM systems) and the
database station 15 is arranged to execute the corresponding encryption
algorithm.

Referring to Figure 17a, in this embodiment the process of Figure 12 of the
first embodiment is modified by the inclusion of a step 1209, between steps
1208 and 1210, in which each partial key is enciphered using the terminal key
of the terminal to which it will be sent and is transmitted in enciphered form.

At each terminal, referring to Figure 17b, in this embodiment the SIM
processor 35a performs an additional step 1305 between steps 1304 and 1306.
In step 1305, the received partial key is decrypted using the terminal key,
prior to calculating the ciphering key.

Thus, in this embodiment, additional security is provided by encrypting the
transmitted partial keys and, conveniently, the encryption makes use of the
terminal key of the destination terminal, so as to avoid the need to store further
encryption data.

Obviously, however, other forms of encryption are possible; in particular,
more sophisticated encryption algorithms in which an additional random
number is also sent would be possible.

Fourth Embodiment 

In this embodiment, the principle of the first embodiment is utilised, in
combination with the air interface encipherment and authentication system
present in GSM compatible networks and specified in the above GSM
recommendations.

Referring to Figure 14, the security features are applied in the following order:

Authentication (step 2002); Air-Interface encryption (step 2004); End-to-End
encryption (step 2006).

The first two steps are as in existing GSM networks and the third is as
described above in relation to the first embodiment. The process will
now be described in more detail.

Referring to Figure 19a, the functions performed by the handset processor 37
and SIM 35 will be described as separate functional blocks; each functional
block could, of course, be implemented by a separate microprocessor or digital
signal processor (DSP) device but in this embodiment, in fact, only one such
processor device is present in the handset and one in the SIM 35.

Referring to Figure 19a, signals received from the antenna 31 and demodulated
by the RF modem 32 are passed through a first enciphering/deciphering stage
372 arranged to apply the A5 algorithm known from GSM in accordance with
an air interface enciphering key Kc and a second enciphering/deciphering
stage 374 arranged to apply a second deciphering algorithm (conveniently,
again, the A5 algorithm used in the GSM system and described in the above
Recommendations) deciphering in accordance with an end-to-end enciphering
key KR. The deciphered bit stream is thereafter supplied to the codec 30.

Similarly, the speech bit stream from the codec 30 passes through the two
enciphering/deciphering stages 372, 374 in the reverse order; for clarity, the
signal path has been omitted from Figure 19a.

Within the SIM 35 is located a terminal key storage register 352 storing the
terminal key for the terminal, in this case for the terminal 2a. The
terminal key storage register 352 is connected to supply the terminal key to
a signature calculation stage 354, arranged to calculate a "signed response"
number (SRES) used to authenticate the terminal, in accordance with the A3
algorithm described in the above mentioned GSM Recommendations and used
in GSM systems. The response calculation stage 354 is also connected, via
the card reader device 33, to receive a random number (RAND1) from the
unenciphered bit stream output from the RF modem 32.

The terminal key register 352 is also connected to supply the terminal key
to a first key generation stage 356, which is also arranged to receive the
random number (RAND1) and to calculate therefrom an air interface
enciphering key Kc in accordance with the A8 algorithm described in the
above GSM Recommendations and used in GSM systems. The key thus
calculated is supplied, via the card reader device 33, to the first (air interface)
enciphering/deciphering stage 372 of the terminal processor 37.

The terminal key register 352 is also connected to supply the terminal key to
a second key generation stage 358, which is arranged to generate an
enciphering key for end-to-end encryption (by an exclusive OR function as
described in the first embodiment) utilising the terminal key Ka and the partial
key Kpa which it is connected to receive (via the card reader device 33) from
the deciphered output of the first (air interface) enciphering/deciphering stage
372 of the terminal processor 37.

The end-to-end enciphering key thus calculated is supplied to the second (end-
to-end) enciphering/deciphering stage 374 of the terminal processor 37.

Referring to Figure 15b, the central database station 15 comprises, in this
embodiment, a random number generator 582 arranged to generate, on each
occasion of use, a new binary 128 bit number (RAND1) in a random sequence;
a store 54 storing the terminal keys Ki; a key generation stage 584 which is
connected to receive a terminal key from the store 54, and the random
number (RAND1), and to calculate therefrom an air interface enciphering key
Kc in accordance with the A5 algorithm described in the GSM
recommendations and used in GSM systems; and a signature calculation stage
586, which likewise is connected to receive the terminal key and the random
number (RAND1), arranged to calculate the signed response number (SRES)
in accordance with the A3 algorithm described in the above mentioned GSM
Recommendation and used in GSM systems.

The outputs of the random number generator stage 582, signed response
generator stage 586 and key generation stage 584 are connected to the
signalling circuit 56 for transmission to the earth stations 6.

Referring to Figure 19c, each earth station 6 comprises (within the database
48) a triplet register 482 arranged to store a predetermined number (e.g. 5) of
triplets each comprising a random number, a corresponding SRES and a
corresponding air interface encryption key Kc, supplied via the signalling
circuit 60 from the database station 15.

On each occasion when a mobile terminal 2 registers with the earth station 6,
the earth station requests the supply of the predetermined number of triplets
from the central database station 15, which accordingly generates the
predetermined number of triplets and transmits them for storage in the
registers 482 via signalling channel 60.

Also provided within the earth station 6 is a comparator 282 coupled to the
triplet register 482 and to the air interface components 24, 26 of the earth
station 6, and arranged to compare a signed response (SRES) number received
from a mobile terminal 2 with a signed response stored in the register 482,
and to indicate correspondence (or absence thereof) between the two numbers.
If the two numbers do not correspond, the user is not authenticated and
service is discontinued by the control unit 28.

Finally, the earth station 6 comprises an air interface encryption stage 284
arranged to encipher and decipher in accordance with the A5 algorithm
(known from GSM) making use of an air interface enciphering key Kc
supplied from the triplet register 482.

In the enciphering direction, the air interface enciphering/deciphering stage
284 receives an input from the codec 50 (Figure 3) and delivers its output to
the air interface components 24, 26 whereas in the deciphering direction the
enciphering/deciphering stage 284 receives its input from the air interface
components 24, 26 and delivers its output to the codec 50.

The operation of this embodiment will now be described in greater detail
with reference to Figures 16a to 16d. In Figures 20 to 23, steps of the
processes of Figure 10 to 13, which will not be discussed further in detail, are
incorporated.

As in Figure 10, a request for privacy is initiated by one of the parties and a
privacy request signal is transmitted from the terminal 2a.

Following receipt (step 1102) of the privacy signal at the earth station 6a and
forwarding thereof (step 1104) to the database station 15, referring to Figure
16c, steps 1202 and 1204 are performed to derive the terminal keys of the two
terminals.

Then, in step 1205, a test is performed to determine whether both subscribers
are authorised to use end-to-end encryption. If so, steps 1206 to 1210 of
Figure 12 are performed. Subsequently, or if not, the database station 15
proceeds to step 1212, in which it transmits a signal to the earth station(s)
6a, 6b serving the two terminals 2a, 2b to instruct them to perform a terminal
authentication check and to commence air interface encryption.

Referring back to Figure 21, each earth station 6, on receipt of the instruction
signal and partial key (step 1110), sends an authentication interrogation
message (step 1112) which includes the next random number RAND1
obtained from the triplet register 482. Additionally, as in the GSM system, a
key number may be transmitted for further verification.

Referring back to Figure 20, on receipt of the authentication request message
(step 1014) the random number (RAND1) is extracted and sent to the SIM 35
(step 1016).

Referring to Figure 16d, at the SIM 35, on receipt of the random number
RAND1 (step 1310), the SIM processor 35a looks up the terminal key Ka
(step 1312) and calculates the signed response (SRES) using the A3 algorithm
(step 1314).

In step 1316, the SIM processor 35a calculates the air interface enciphering key
Kc using the random number (RAND1) and the terminal key Ka. In step
1318, the SIM 35 transmits the signed response number (SRES) and the air
interface enciphering key (Kc) to the terminal processor 37 via the card reader
device 33.

Subsequently, the SIM 35 executes the process of Figure 13.

Referring to Figure 20, on receipt of the signed response number (SRES) in
step 1018, the terminal processor 37 transmits the SRES number to the earth
station 6a (step 1020).

Referring to Figure 21, the earth station 6 receives the signed response
number (1114) and compares it with the stored signed response number held
in the triplet register 482 (step 1116).

If the two do not match, the call is terminated (step 1117). Alternatively,
further attempts at authentication may be made if desired.

If the signed response received from the mobile terminal 2 matches the stored
signed response in step 1116, the earth station 6 reads the enciphering key
stored in the triplet register 482 corresponding to the signed response just
received, and (step 1118) commences enciphering all future traffic to, and
deciphering all future traffic from, the mobile terminal 2 using the A5
algorithm together with the enciphering key Kc. As is conventional in GSM
systems, the frame number may also be used as an input to the enciphering
algorithm.

The earth station 6 thereafter returns to step 1108 of Figure 11, to send the
partial key Kpa received from the database station 15 to the terminal 2a, but in
this embodiment this takes place in enciphered form.

Returning to Figure 16a, on receipt of the air interface encryption key Kc
(step 1022) from the SIM 35, the terminal processor 37 starts the enciphering/
deciphering mode in which all traffic received from the air interface modem
32 is deciphered and all traffic transmitted to the air interface modem 32 is
enciphered using the A5 algorithm and the air interface enciphering key Kc;
where the earth station 6 additionally makes use of the frame number, the
terminal 2 likewise does so.

The process performed by the terminal processor 37 of terminal 2a (in this
example) then returns to step 1004 of Figure 10, to receive (in encrypted
form), decrypt and use the partial enciphering key received from the earth
station 6. A corresponding process is performed for the terminal 2b.

Although the above description assumes that neither terminal has recently
been authenticated, and that neither terminal is already in air interface
encryption mode, it will be understood that this need not be the case. If
either terminal is already applying air interface encryption, then the
corresponding steps described above to set up authentication and air
interface enciphering are not performed again.
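The triplet handling described for this embodiment (steps 1112 to 1118 and 1310 to 1318), as an added Python example that is not code from the patent. A3 and A8 are not specified on this page, so truncated HMAC-SHA-256 is used as a labelled stand-in for both; the 32 bit SRES and 64 bit Kc lengths follow GSM practice, and the class names, the refill-when-empty behaviour and the key value are assumptions constructed for illustration.

```python
import hashlib
import hmac
import secrets
from collections import deque


def a3_stand_in(ki: bytes, rand1: bytes) -> bytes:
    """Stand-in for A3 (assumption: HMAC-SHA-256 truncated to a 32 bit SRES)."""
    return hmac.new(ki, b"A3" + rand1, hashlib.sha256).digest()[:4]


def a8_stand_in(ki: bytes, rand1: bytes) -> bytes:
    """Stand-in for A8 (assumption: HMAC-SHA-256 truncated to a 64 bit Kc)."""
    return hmac.new(ki, b"A8" + rand1, hashlib.sha256).digest()[:8]


class DatabaseStation:
    """Generates (RAND1, SRES, Kc) triplets from the stored terminal key."""

    def __init__(self, terminal_keys):
        self._keys = dict(terminal_keys)

    def make_triplets(self, terminal_id, count=5):
        ki = self._keys[terminal_id]
        triplets = []
        for _ in range(count):
            rand1 = secrets.token_bytes(16)  # new 128 bit RAND1 each time
            triplets.append((rand1, a3_stand_in(ki, rand1), a8_stand_in(ki, rand1)))
        return triplets


class Sim:
    """Steps 1310 to 1318: compute SRES and Kc from RAND1 and the terminal key."""

    def __init__(self, ki):
        self._ki = ki

    def respond(self, rand1):
        return a3_stand_in(self._ki, rand1), a8_stand_in(self._ki, rand1)


class EarthStation:
    """Triplet register plus comparator; it never holds the terminal key."""

    def __init__(self, database, terminal_id):
        self._database = database
        self._terminal_id = terminal_id
        self._register = deque()
        self._pending = None

    def challenge(self):
        """Step 1112: send the next RAND1, refilling the register when empty."""
        if not self._register:
            self._register.extend(self._database.make_triplets(self._terminal_id))
        self._pending = self._register.popleft()  # each triplet is used once
        return self._pending[0]

    def verify(self, sres):
        """Steps 1114 to 1118: return Kc on a match, None to end the call."""
        if self._pending is None:
            raise RuntimeError("no challenge outstanding")
        _, expected, kc = self._pending
        self._pending = None
        # compare_digest avoids leaking how many leading bytes matched
        return kc if hmac.compare_digest(sres, expected) else None

    def triplets_left(self):
        return len(self._register)


def authenticate(station, sim):
    """One interrogation round; returns (Kc at the earth station, Kc at the SIM)."""
    rand1 = station.challenge()
    sres, kc_sim = sim.respond(rand1)
    return station.verify(sres), kc_sim


# Constructed terminal key for terminal 2a (not a value from the patent).
KI_2A = bytes.fromhex("00112233445566778899aabbccddeeff")

if __name__ == "__main__":
    database = DatabaseStation({"2a": KI_2A})
    earth = EarthStation(database, "2a")
    kc_net, kc_sim = authenticate(earth, Sim(KI_2A))
    print("genuine SIM authenticated:", kc_net == kc_sim)
    kc_net, _ = authenticate(earth, Sim(bytes(16)))
    print("SIM with wrong key authenticated:", kc_net is not None)
```

The earth station only ever sees values derived from the terminal key, and a consumed triplet is discarded whether or not the response matched.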

In the above embodiment, additional safeguards may be provided; for
example, to initiate secure communications, the terminal user may be required
to input a PIN code for matching with data held on the SIM.

It will be understood that, where the invention is practised in a GSM-
compatible system or the like, the SIM 35 will contain further information in
the form of the international mobile subscriber identity number (IMSI), and
optionally lists of phone numbers for speed dial or other purposes.

Conference Calls 

The encryption scheme according to the invention has the significant
advantage that the common encryption/decryption code KR that is formed in
each of the terminals 2a, 2b consists of the random number (RAND) supplied
from the database station 15. Thus, in the method according to the
invention, the length of the encryption/decryption code is independent of
the number of terminals used during the call. This has implications for
conference calls as will now be explained with reference to Figure 24. This
Figure corresponds generally to Figure 9 but illustrates more than two user
terminals, for use in a conference call. In Figure 24, three terminals are
shown, namely terminal 2a, 2b and 2n which each form a respective
communication link with an earth station 6a, 6b and 6n.

In order to set up the conference call, partial keys Kpa, Kpb and Kpn are
transmitted from the central database station 15 to each of the earth stations
6a, 6b and 6n and the keys are then transmitted to the respective user
terminals 2a, 2b, 2n. The partial keys are then decoded at the user terminals
respectively in the manner previously described such that each terminal
develops the common encryption code KR = (RAND). The terminals can
then use the common code KR to encrypt and decrypt data for the conference
call between the three user terminals. It will be appreciated that although
three terminals are shown, much larger numbers could be used for the
conference call. This contrasts with the method described in our prior GB
9611411.1 in which each terminal needs to be provided with data based on the
terminal key codes for all the other terminals used for the call and so when
many terminals are used in a conference call, the encryption code becomes
extremely long and cumbersome.
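The partial-key exchange of the first embodiment, generalised to any number of terminals as in the conference call just described, as an added Python example that is not code from the patent. The class and function names, the terminal identifiers and the terminal key values are constructed for illustration; the binary addition is implemented as the bit-wise exclusive OR the description specifies, and Python's `secrets` module stands in for the station's random number generator.

```python
import secrets

KEY_BYTES = 16  # the description uses 128 bit terminal keys and a 128 bit RAND


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """Bit-wise exclusive OR of two equal-length byte strings."""
    if len(a) != len(b):
        raise ValueError("operands must have the same length")
    return bytes(x ^ y for x, y in zip(a, b))


class DatabaseStation:
    """Holds every terminal key and masks it with a fresh RAND per session."""

    def __init__(self, terminal_keys):
        for tid, key in terminal_keys.items():
            if len(key) != KEY_BYTES:
                raise ValueError(f"terminal key for {tid} is not 128 bits")
        self._keys = dict(terminal_keys)

    def partial_keys(self, terminal_ids):
        """Steps 1204 to 1208: read the keys, draw RAND, return Kp = K xor RAND."""
        unknown = [t for t in terminal_ids if t not in self._keys]
        if unknown:
            raise KeyError(f"no terminal key stored for {unknown}")
        rand = secrets.token_bytes(KEY_BYTES)  # new RAND for every session
        return {t: xor_bytes(self._keys[t], rand) for t in terminal_ids}


class Sim:
    """Holds one terminal key and unmasks the partial key sent to its terminal."""

    def __init__(self, terminal_key):
        self._key = terminal_key

    def recover_key(self, partial_key):
        """Step 1306: KR = Kp xor K, which equals RAND."""
        return xor_bytes(partial_key, self._key)


def observed_difference(partial_a, partial_b):
    """What a listener holding two partial keys can compute: RAND cancels,
    leaving only the XOR difference of the two terminal keys."""
    return xor_bytes(partial_a, partial_b)


def run_session(station, sims):
    """Distribute partial keys to every SIM; return (partial keys, recovered keys)."""
    partials = station.partial_keys(list(sims))
    recovered = {t: sims[t].recover_key(partials[t]) for t in sims}
    return partials, recovered


# Constructed terminal keys for three terminals (not values from the patent).
TERMINAL_KEYS = {
    "2a": bytes.fromhex("00112233445566778899aabbccddeeff"),
    "2b": bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0"),
    "2n": bytes.fromhex("a5a5a5a55a5a5a5a0123456789abcdef"),
}

if __name__ == "__main__":
    station = DatabaseStation(TERMINAL_KEYS)
    sims = {t: Sim(k) for t, k in TERMINAL_KEYS.items()}
    for session in (1, 2):
        partials, recovered = run_session(station, sims)
        assert len(set(recovered.values())) == 1  # one common key KR
        diff = observed_difference(partials["2a"], partials["2b"])
        print(f"session {session}: KR = {recovered['2a'].hex()}")
        print(f"  Kpa xor Kpb = {diff.hex()}")
```

Across sessions KR changes while Kpa xor Kpb stays the same, which is the "difference between the two terminal keys" the first embodiment says is the most an observer of both partial keys can derive; the common key stays 128 bits however many terminals take part.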

One or more additional terminals may join in a call whilst it is in progress,
either to expand a normal two party call into a three party conference call or
to increase the number of parties in a conference call. To this end, the joining
party is sent a masked version of the code RAND from the base station 15
together with the frame number for the data transmission that is going on
between the parties, so that the joining party can use the locally held A5
algorithm to compute the current value of the encryption key and join in the
transmitted data flow.

The ability to set up secure conference calls between many user terminals has
particular application for a secure closed user group (CUG). To this end, the
database station 15 may include a list of members of a closed user group
which are permitted to correspond with other members in a conference call or
individually. For example, a closed user group may comprise armed services
personnel or emergency services personnel. In a modification, more than one
database station 15 is provided and a supervising database station (not shown)
may be used in order to coordinate more than one CUG to allow them to
share facilities, for example on a temporary basis so that for a particular
project e.g. a combined service operation, the CUGs may communicate
with each other over conference calls or individually in a secure, encrypted
manner. In another modification, a single database station 15 is used and, for
the temporary period of cooperation, all user terminals are provided with
reprogrammed SIM cards to allow secure communication within the
temporary group.

Other Embodiments 

Many modifications and alternatives to the previously described embodiments
will be apparent to the skilled person and are within the scope of the present
invention.

For example, in practice, duplex transmission occurs between the user
terminals on different channels. For additional security different individual
codes may be used for each of the duplex channels, produced by means of
separate partial keys transmitted from the database station 15, using different
values of the pseudo random number (RAND) for each channel.

The numbers of satellites and satellite orbits indicated are purely exemplary.
Smaller numbers of geostationary satellites, or satellites in higher altitude
orbits, could be used; or larger numbers of low earth orbit (LEO) satellites
could be used. Equally, different numbers of satellites in intermediate orbits
could be used.

Although TDMA has been mentioned as a suitable access protocol, other access
protocols can be used such as code division multiple access (CDMA) or
frequency division multiple access (FDMA).

Whilst the principles of the present invention are envisaged above as being
applied to satellite communication systems, the use of the invention in other
communications systems e.g. digital terrestrial cellular systems such as, but
not limited to GSM, is also possible.

Although, for the sake of convenience, the term "mobile" has been used in the
foregoing description to denote the terminals 2, it should be understood that
this term is not restricted to hand-held or hand-portable terminals, but
includes, for example, terminals to be mounted on marine vessels or aircraft,
or in terrestrial vehicles. Equally, it is possible to practice the invention with
some of the terminals 2 being completely immobile.

Instead of providing a single central database station 15 storing details of all
terminal equipment 2, similar details could be stored at the home gateway 8
for all terminal equipment to register with that home gateway 8.

Whilst in the above described embodiments the central database station 15 acts
as a Home Location Register (HLR) of a GSM system, and may be provided
using commercially available HLR hardware, and the databases within each
earth station 6 act in the manner of visiting location registers (VLRs) and may
likewise use commercially available GSM hardware, it will be understood that
the information relating to different users could be distributed between several
different databases. There could, for instance, be one database for each closed
user group, at physically different positions.

Whilst in the fourth embodiment above the same terminal key Ki is used
for secure end-to-end encryption as is used for air interface encryption, it
will be clear that this is not necessary; each terminal could store two different
terminal keys, one for air interface encryption and one for end-to-end
encryption. In this case, a separate authentication centre database could be
provided for end-to-end encryption key distribution to that which is used in
conventional air interface encryption.
Although in the foregoing embodiments, the same (A5) cipher algorithm used
for the air interface encryption of the GSM system is used in end-to-end
encryption, it will be apparent that a different cipher could be used; in this
case, terminals would include two different enciphering stages for use in the
fourth embodiment. Further, where multiple closed user groups are
provided, each closed user group could use a different cipher.

In the foregoing, the gateways 8 may in fact be comprised within an ISC or
exchange or mobile switching centre (MSC) by providing additional
operating control programmes performing the function of the gateway.

In the foregoing, dedicated ground network lines have been described, and
are preferred. However, use of PSTN or PLMN links is not excluded where,
for example, leased lines are unavailable or where temporary additional
capacity is required to cope with traffic conditions.

It will be understood that the stores within the gateways 8 need not be
physically co-located with other components thereof, provided they are
connected via a signalling link.

Whilst, in the foregoing, the term "global" is used, and it is preferred that the
satellite system should cover all or a substantial part of the globe, the
invention extends also to similar systems with more restricted coverage (for
example of one or more continents).

Whilst the foregoing embodiments describe duplex communications systems, it
will be clear that the invention is equally applicable to simplex (one way)
transmission systems such as point-to-multipoint or broadcast systems.

Whilst the preceding, described embodiments are direct transmission systems,
it will be understood that the invention is applicable to store-and-forward
communications systems in which one party transmits a message for storage
and subsequent later transmission to the other party.
One example of such a store-and-forward system is e-mail, for example of the
type provided by Compuserve™ or MCI™. Another example is the Internet,
which, as is well known, consists of a number of host computer sites
interconnected by a backbone of high speed packet transmission links, and
accessible for file transfer from most points in the world via public
telecommunications or other networks.

In an embodiment of this type, a central database station 15 need not
distribute keys to both terminals at the same time; instead, distribution of the
partial key to the transmitting terminal may take place at the time of
transmission of a file of data for storage in encrypted form, and distribution of
a partial key to the receiving terminal may take place substantially later, for
example, at the next occasion when the receiving terminal is connected to the
network and/or the next occasion when the receiving terminal wishes to
download the file from intermediate storage in a host computer.

It will be understood that whilst the previously described embodiments
concern voice transmission, the invention is applicable to the encryption of
data of any kind and particularly, but not exclusively, to image data, video
data, text files or the like.

It will be understood that the geographical locations of the various
components of the invention are not important, and that different parts of the
system of the above embodiments may be provided in different national
jurisdictions and the present invention extends to any part or component of
telecommunications apparatus or system which contributes to the inventive
concept.
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Brief Description of Drawings 



Figure 1 is a bloclc diagram showing schematically the elements of a 

communication system embodying the present invention; 

Figure 2 is a block digram showing schematically the elements of mobile 

terminal equipment suitable for use with the present invention; 

F^re 3 is a block diagram showing schematically the elenMits of an Earth 

station node forming part of the embodiment of Figure 1; 

Figure 4 is a block diagram showing schematically the elements of a gateway 

station forming part of the embodiment of Figure 1; 

Figure 5 is a block diagram showing schematically the elements of a database 
station fomiLng part of the embodiment of Figure 1; 

Figure 6 illustrates the contents of a store forming part of the database station 
of Figure 5; 

F^ure 7a illustrates schematically the beams produced by a satellite in the 
embodiment of Figure 1; 

F^ure 7b illustrates schematically the disposidon.of satellites forming part of 
Figute 1 in orbits around the earth; 

Figure 8 is a block diagram showing the signal flow between components of 

the handset of Figure 2 in a first embodiment of the invention; 

Figure 9 is a schematic block diagram showing the flow of encryption data 

and signals between the components of Figore 1 in the first embodiment; 

Figure 10 is a flow diagram showing schematically the pmcc53 performed by 

the control and enciphering components of the handset of Figure 8 in the first 

embodiment; 
Figure 11 is a flow diagram showing schematically the process of operation of the earth station of Figure 3 in the first embodiment;

Figure 12 is a flow diagram showing schematically the process of operation of the central database station of Figure 4 in the first embodiment;

Figure 13 is a flow diagram showing schematically the process of operation of a subscriber information module (SIM) held within the handset of Figure 8 in the first embodiment;

Figure 14 is a flow diagram illustrating schematically the stages of security provided in a fourth embodiment of the invention;

Figure 15 is an illustrative diagram showing the stages of formation of the enciphering key by a first handset terminal of Figure 8; and

Figure 16 is a corresponding illustrative diagram showing the process of formation of the enciphering key at a second such handset;

Figures 17a and b is a flow diagram modifying the operation of that of Figures 12 and 13 in the third embodiment of the invention;

Figure 19a is a block diagram showing schematically some of the functional elements present in the handset of Figure 8 according to the fourth embodiment of the invention;

Figure 19b is a block diagram showing schematically some of the functional elements present in the database station of the fourth embodiment;

Figure 19c is a block diagram showing schematically some of the functional elements present in the earth station of the fourth embodiment;

Figure 20 (incorporating parts of Figure 10) is a flow diagram showing schematically the operation of a handset according to the fourth embodiment;

Figure 21 (incorporating parts of Figure 11) is a flow diagram showing schematically the process of operation of an earth station according to the fourth embodiment;

Figure 22 (incorporating parts of Figure 12) is a flow diagram showing schematically the operation of a database station according to the fourth embodiment;

Figure 23 (incorporating parts of Figure 13) is a flow diagram showing schematically the operation of a subscriber information module according to the fourth embodiment; and

Figure 24 illustrates how embodiments of the invention can be used for conference calls with more than two user terminals.
1 Abstract

A satellite mobile telecommunications system includes mobile terminals 2a, 2b
which can communicate with one another using end-to-end encryption and
decryption techniques. When secure end-to-end communication is required,
each terminal uses a common encryption code (RAND) to encode data and
decode data transmitted between the terminals. The encryption code is
transmitted in a secure manner from a remote database station (15) to the
terminals. Each terminal stores a terminal key on its SIM card and
the keys are also held in the remote station (15). Partial keys (Kpa, Kpb)
comprising the pseudo random number (RAND) and the keys Ka, Kb stored at
the station (15) are produced at the station (15) by an exclusive OR process in
order to mask the keys and the random number. The partial key Kpa = Ka +
(RAND) is sent to terminal 2a. At the terminal 2a, the partial key Kpa is
exclusive OR-ed with the locally stored terminal key on the SIM card, so
as to recover (RAND). The common code (RAND) is determined by the
same process at terminal 2b, from Kpb = Kb+(RAND) and the locally stored
key Kb. The terminals then both run a GSM encryption algorithm (A5) to
encrypt and decrypt transmitted data, on the basis of the common code
(RAND).
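The key distribution described in the abstract, as an added Python example that is not part of the patent text: the station masks one RAND with each terminal key, each terminal unmasks it with its own key, and the last check shows what the two partial keys reveal when combined. The 128-bit size, the class and function names and the constructed keys are assumptions; A5 itself is not implemented.

```python
import secrets

KEY_BYTES = 16  # assumption: 128-bit keys and RAND; the abstract gives no sizes


def xor(a: bytes, b: bytes) -> bytes:
    """Bytewise exclusive OR of two equal-length strings."""
    if len(a) != len(b):
        raise ValueError("XOR masking needs equal-length operands")
    return bytes(x ^ y for x, y in zip(a, b))


class DatabaseStation:
    """Stands in for the remote station (15), which holds every terminal key."""

    def __init__(self, terminal_keys):
        self._keys = dict(terminal_keys)

    def issue_partial_keys(self, terminal_ids, rand=None):
        """Pick one RAND per session and mask it with each terminal's key."""
        rand = secrets.token_bytes(KEY_BYTES) if rand is None else rand
        return {tid: xor(self._keys[tid], rand) for tid in terminal_ids}


class Terminal:
    """Stands in for a handset whose SIM card stores the terminal key."""

    def __init__(self, terminal_key):
        self._key = terminal_key

    def recover_rand(self, partial_key):
        # Kp XOR K = (K XOR RAND) XOR K = RAND
        return xor(partial_key, self._key)


def run_exchange(rand=None):
    """One session between 2a and 2b, using constructed random keys."""
    ka, kb = secrets.token_bytes(KEY_BYTES), secrets.token_bytes(KEY_BYTES)
    station = DatabaseStation({"2a": ka, "2b": kb})
    partial = station.issue_partial_keys(["2a", "2b"], rand)
    rand_a = Terminal(ka).recover_rand(partial["2a"])
    rand_b = Terminal(kb).recover_rand(partial["2b"])
    # RAND cancels when both partial keys are combined, leaving Ka XOR Kb.
    masks_cancel = xor(partial["2a"], partial["2b"]) == xor(ka, kb)
    return rand_a, rand_b, masks_cancel


if __name__ == "__main__":
    a, b, cancels = run_exchange()
    print("common code agrees:", a == b, "| Kpa^Kpb == Ka^Kb:", cancels)
```

Each partial key on its own is a one-time-pad masking of RAND, but the two together expose Ka XOR Kb, a value that does not change from session to session.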

2 Representative Drawing 
Fig. 1



